New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug Report] van-picker组件中的 allow-html 属性默认值存在xss注入风险 #13161

Closed

liurui981112 opened this issue Oct 14, 2024 · 1 comment

Labels

2.x bug: need confirm

liurui981112 commented Oct 14, 2024

重现链接

xxx

Vant 版本

2.13.2

描述一下你遇到的问题。

官方文档中van-picker组件中的allow-html属性默认值为 true，会默认将选项里中的值作为html进行解析，对于不可信的数据存在xss注入的风险，除非手动进行数据处理，或者修改默认值，不然很难发现这个潜在风险。从安全角度考虑，建议默认值改为false更加合理。

重现步骤

设备/浏览器

No response

liurui981112 added the bug: need confirm label

inottn added the 2.x label

github-actions bot commented Oct 14, 2024

Hi @liurui981112. Current version (2.x) has reached End of Life. We recommend using the latest 4.x version (LTS). This issue will be auto closed.

你好 @liurui981112，当前版本（2.x）已经终止支持且不再维护。我们建议使用最新的 4.x 版本。当前 issue 会被自动关闭。

github-actions bot closed this as not planned

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment